Prevent access to arbitrary memory locations in gen_ndis_set_resp
via manipulation of buf->InformationBufferOffset. Original
implementation permits manipulation of InformationBufferOffset to
exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
within a 32byte offset as the devices packet filter. The packet filter
value may be next retrieved using gen_ndis_query_resp so it is possible
to extract specific memory regions two bytes a time.
The rndis_query_response was not modified as neither the buffer offset
nor length passed to gen_ndis_query_resp is used.
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Commit fbce985e28 to fix CVE-2022-2347
blocks DFU usb requests.
The verification of the transfer direction was done by an equality
but it is a bit mask.
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>
Drop support for quickly deprecated DT property "snps,ref-clock-period-ns"
to prevent its proliferation.
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
GUCTL.REFCLKPER can only account for clock frequencies with integer
periods. To address this, program REFCLK_FLADJ with the relative error
caused by period truncation. The formula given in the register reference
has been rearranged to allow calculation based on rate (instead of
period), and to allow for fixed-point arithmetic.
Additionally, calculate a value for 240MHZDECR. This configures a
simulated 240Mhz clock using a counter with one fractional bit (PLS1).
This register is programmed only for versions >= 2.50a, since this is
the check also used by commit db2be4e9e30c ("usb: dwc3: Add frame length
adjustment quirk").
[ marek: Ported from Linux kernel commit
596c87856e08d ("usb: dwc3: Program GFLADJ") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Instead of using a special property to determine the reference clock
period, use the rate of the reference clock. When we have a legacy
snps,ref-clock-period-ns property and no reference clock, use it
instead. Fractional clocks are not currently supported, and will be
dealt with in the next commit.
[ marek: Ported from Linux kernel commit
5114c3ee24875 ("usb: dwc3: Calculate REFCLKPER based on reference clock") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Set reference clock period when it differs from dwc3 default hardware
set.
We could calculate clock period based on reference clock frequency. But
this information is not always available. This is the case of PCI bus
attached USB host. For that reason we use a custom property.
Tested (USB2 only) on IPQ6010 SoC based board with 24 MHz reference
clock while hardware default is 19.2 MHz.
[ baruch: rewrite commit message; drop GFLADJ code; remove 'quirk-' from
property name; mention tested hardware ]
[ marek: Ported from Linux kernel commit
7bee318838890 ("usb: dwc3: reference clock period configuration") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Balaji Prakash J <bjagadee@codeaurora.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Cache ref_clk clock pointer in struct dwc3 . This is a preparatory
patch for subsequent backports from Linux kernel which configure
GFLADJ register content based on the ref_clk rate and therefore need
access to the ref_clk pointer.
It is possible to extract the clock pointer from existing clk_bulk
list of already claimed clock, no need to call clk_get*() again.
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
The "generic_bus_%x_dev_%x" string which is printed into this buffer
can be up to 34 characters long ("generic_bus_12345678_dev_12345678").
The buffer would be clipped by snprintf() if both %x were at maximum
range. Make sure the buffer is long enough to cover such possibility.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Invoking lseek() may result in an error. Handle it.
Addresses-Coverity-ID: 376212 ("Error handling issues (CHECKED_RETURN)")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify that
the transfer direction. Fixing the length and transfer
direction.
CVE-2022-2347
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Unlike the other 64-bit mvebu SoCs the AlleyCat5 uses the older ehci
block from the 32-bit SoCs. Adapt the ehci-marvell.c driver to cope with
the fact that the ac5 does not have the mbus infrastructure the 32-bit
SoCs have and ensure USB_EHCI_IS_TDI is selected.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
The struct is only used to overlay the MMIO region, so the behavior is
the same. This obsoletes the Kconfig option for the number of ports.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Add test coverage for blk_write() as well.
The blk_erase() is not tested for now as the USB stor interface does not
support erase.
Signed-off-by: Simon Glass <sjg@chromium.org>
The code checks the return value from uclass_first_device as well as
that the device exists but it passes on the return value which may be
zero if there are no gadget devices. Just check that a device was
returned and return -ENODEV otherwise.
Also remove the dev variable which is not really used for anything.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Fix typo that was caused by the same feature being split in to 2 different
configuration options. Replace CONFIG_USBNET_DEVADDR with
CONFIG_USBNET_DEV_ADDR
Signed-off-by: Ignacio Zamora <nachopitt@gmail.com>
When host issues "fastboot reboot fastboot", it's expected that the
board drops the USB connection before resetting.
On some boards, such as Khadas VIM3L and SEI610, this is not the case.
We observe the following error:
$ fastboot reboot fastboot
Rebooting into fastboot OKAY [ 0.004s]
fastboot: error: Failed to boot into userspace fastboot; one or more components might be unbootable.
This does not happen when we use the RST button on the board.
It can be reproduced in linux with:
# echo b > /proc/sysrq-trigger
In this case, we hit a undefined hardware behavior, where D+ and D-
are in an unknown state. Therefore the host can't detect usb
disconnection.
Make sure we always call usb_gadget_release() when a "fastboot reboot"
command is issued.
Note: usb_gadget_release() should be called before g_dnl_unregister()
because g_dnl_unregister() triggers a complete() call on each
endpoint (thus calling do_reset()).
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Remove unused ehci_{setup,shutdown}_phy() helpers now replaced by
generic_{setup,shutdown}_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Replace ehci_setup_phy() and ehci_shutdown_phy () by respectively
generic_setup_phy() and generic_shutdown_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Replace ohci_setup_phy() and ohci_shutdown_phy () by respectively
generic_setup_phy() and generic_shutdown_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Take the USB_ETHER ifdef block apart and make use of obj-$(VAR) instead
to include the source files in build. The duplicate CI_UDC entry is now
removed, the USB_DEVICE ifdef is now reduced to core.o ep.o addition,
the ether.o can be conditionally compiled in using USB_ETHER.
No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
can occur. This is caused by the wIndex field of the usb control packet
being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).
Signed-off-by: Alison Huffman <alisn@google.com>
Move this code out of the helper function so we can (later) add it as part
of the shared emulation code. Set a default value of 0 for buff_used since
that is what we use when there is an error.
Signed-off-by: Simon Glass <sjg@chromium.org>
In preparation for sharing the emulation code between two drivers, move
some of the fields into a new struct. Use a separate header file so it
can be used by various drivers.
Signed-off-by: Simon Glass <sjg@chromium.org>
This has the same name as a field in our local private struct, which is
confusing. Change the name to xfer_len instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
This driver is not used by any system and is long unmaintained, drop it.
There is a DWC2 OTG driver which is maintained, see CONFIG_USB_GADGET_DWC2_OTG .
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Globally replace all occurances of WATCHDOG_RESET() with schedule(),
which handles the HW_WATCHDOG functionality and the cyclic
infrastructure.
Signed-off-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Tom Rini <trini@konsulko.com> [am335x_evm, mx6cuboxi, rpi_3,dra7xx_evm, pine64_plus, am65x_evm, j721e_evm]
The host will report such error message if the fastboot device work in
full-speed mode: "Duplicate descriptor for config 1 interface 0
altsetting 0, skipping"
Fastboot device ack both full and high speed interface descriptors when
work in full-speed mode, that's will cause this issue.
Fix it.
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
Reviewed-by: John Keeping <john@metanate.com>
This converts the following to Kconfig:
CONFIG_FSL_NGPIXIS
CONFIG_SYS_FSL_QMAN_V3
CONFIG_SYS_FSL_RAID_ENGINE
CONFIG_SYS_FSL_RMU
CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
CONFIG_SYS_FSL_SRIO_LIODN
CONFIG_SYS_FSL_TBCLK_DIV
CONFIG_SYS_FSL_USB1_PHY_ENABLE
CONFIG_SYS_FSL_USB2_PHY_ENABLE
CONFIG_SYS_FSL_USB_DUAL_PHY_ENABLE
CONFIG_SYS_FSL_USB_INTERNAL_UTMI_PHY
Signed-off-by: Tom Rini <trini@konsulko.com>
The imx6q arm2 board support has been removed from U-Boot
as it did not get converted to DM.
Remove the MX6Q_ARM2 related ifdefery in the driver.
Signed-off-by: Fabio Estevam <festevam@denx.de>
SPL on mvebu loads proper U-Boot from custom Marvell kwbimage format and
therefore support for other binary formats is not required to be present in
SPL. Boot source of proper U-Boot is defined by compile time options and
therefore it is not required to enable all possible and unused peripherals
in SPL by default.
This change decrease size of SPL binaries.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Now that the PHY driver will not try to drive VBUS if it is already
driven by an external supply, there is no need to check the VBUS voltage
before powering on the PHY.
Signed-off-by: Samuel Holland <samuel@sholland.org>
ISP1760/61/63 are a family of usb controllers, here the main
goal is to support the ISP1763 hcd part found in the MPS3 FPGA
board form Arm. This is based on the kernel driver and ported
to u-boot.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Move urb code from musb only use to a more common scope, so other
drivers in the future can use the handling of urb in usb.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>